The federal government hasn't had a budget for four years until less than a month ago[0]. Up until then, our government was funded with a variety of appropriations bills as stop-gap measures. When a large organization doesn't have a budget, how do they make long-term investments in their IT infrastructure? So, the IRS can't very well execute a major migration when they don't have a budget and they aren't going to do so a few weeks before April 15th.

Yes, this is wasteful, but what else could the IRS have done without approval from congress?

[0] http://www.reuters.com/article/2013/03/23/us-usa-fiscal-budg...



They seemed to have found funds in their budget to harass political groups from one ideology.


Yes, and the majority of the groups that were found to be in violation were Democratic.

Oooops. So much for your talking point.

Go away, troll.


Operational expenditure is different from capital expenditure.


but what else could the IRS have done without approval from congress?

Patching the security issues themselves? I know this can be complex in many cases but the security and reverse engineering community have this knowledge, probably not fixing the whole issue but at least blocking it.

I've written an article about doing this here: http://blog.nektra.com/main/2013/08/07/using-deviare-to-crea... last year.


This is an interesting article, I give you that. But you have to be realistic. The IRS patching security issues in Windows XP is about as realistic as my grandma building her own home automation iPhone app in objective C.


The IRS is not paying $11M for the development know-how to maintain security; it's true that they could probably shop around and find the services they need for much less.

No, they're paying $11M so they can say "We paid Microsoft $11M! What else could we possibly do?" when something goes wrong.


Sadly that's probably pretty accurate.


threaten Microsoft to switch to Linux?


Something tells me you did not understand the above comment... He's saying the IRS could shift responsibility based on the fact they paid the world's biggest software vendor 11mil... Switching to Linux puts the responsibility back in the IRS's court...


Official patches are more trustworthy in the enterprise and public service world. Whether those patches are better or worse is up for another debate.

You wouldn't want someone downloading random patches off the Internet or hiring a non-MS employee to make a patch without hiring multiple people to verify the integrity and usefulness of the patch (think backdoor) to fix computers handling your tax information. Do you?

I wouldn't.

You wouldn't download a random patch for heartbleed until openssl releases the official notice and patch. Or you won't download because you want the fix from your distro vendor.


Do you?

Yes. At the end it's all about trust.

With a good community making hotpatches, and explaining their fixes I will install them.


The question was not would you install a random patch but would you be ok with the IRS installing random patches when creating a backdoor could easily be worth 100+ million?


First, I don't like the "random patch" expression. I am talking about patches discussed by the reverse engineering and security community. IRS is already patching their systems in a similar way when they update a Linux distribution.


No really, the IRS will use something like Red Hat and the Red Hat Corporation will be providing a level of guarantee which the IRS can fall back on should they need to.

If they just pull patches from the community themselves, when something goes wrong they will have to take the blame themselves and people will think they are foolish for being so reckless. As a techie, this option may seem feasible to you but then again you're just some random guy on HN who probably thinks node.js is the be all and end all of IT. I doubt you've got the intelligence (clearly) or the experience (very clearly) to understand how the IT industry works at a human, risk management and legal level.


It's funny how you talk about me without knowing me. You didn't even do a background check to see whether I fit your node.js bias.

No, my company sells hard core technology to big vendors and signs the kind of corporate contracts that you refer to in your comment. Since the IRS will not solve the issue there is another route: selling a hotpatch service to another vendor who sells to the IRS.


> With a good community making hotpatches, and explaining their fixes I will install them.

You will have to be reassured that your patch will work and is risk free. If not, get ready for a bill and possibly a congressional hearing.

Good community is great, but you need to shift responsibility whenever possible. Not that there aren't any kernel hackers working in the public service sector, but they have other important things to do than fixing someone else's product if there's a choice.
